13 files changed, 543 insertions, 0 deletions

diff --git a/test/seccomp-extra/block-secondary.exp b/test/seccomp-extra/block-secondary.exp
new file mode 100755
index 000000000..1db512126
--- /dev/null
+++ b/test/seccomp-extra/block-secondary.exp
@@ -0,0 +1,43 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2023 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+
+# 64 bit architecture - seccomp.block-secondary
+send --  "firejail --debug --seccomp.block-secondary pwd\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "Installing /run/firejail/mnt/seccomp/seccomp.32 seccomp filter" {puts "TESTING ERROR 2\n";exit}
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "Installing /run/firejail/mnt/seccomp/seccomp.32 seccomp filter" {puts "TESTING ERROR 4\n";exit}
+        "Installing /run/firejail/mnt/seccomp/seccomp seccomp filter"
+}
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "Installing /run/firejail/mnt/seccomp/seccomp.32 seccomp filter" {puts "TESTING ERROR 6\n";exit}
+        "Installing /run/firejail/mnt/seccomp/seccomp.protocol seccomp filter"
+}
+after 500
+
+# 64 bit architecture - seccomp.block-secondary, profile
+send --  "firejail --debug --profile=block-secondary.profile pwd\r"
+expect {
+        timeout {puts "TESTING ERROR 7\n";exit}
+        "Installing /run/firejail/mnt/seccomp/seccomp.32 seccomp filter" {puts "TESTING ERROR 8\n";exit}
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+expect {
+        timeout {puts "TESTING ERROR 9\n";exit}
+        "Installing /run/firejail/mnt/seccomp/seccomp.32 seccomp filter" {puts "TESTING ERROR 10\n";exit}
+        "Installing /run/firejail/mnt/seccomp/seccomp seccomp filter"
+}
+after 500
+puts "all done\n"
diff --git a/test/seccomp-extra/block-secondary.profile b/test/seccomp-extra/block-secondary.profile
new file mode 100644
index 000000000..e32056c3d
--- /dev/null
+++ b/test/seccomp-extra/block-secondary.profile
@@ -0,0 +1 @@
+seccomp.block-secondary
diff --git a/test/seccomp-extra/memwrexe b/test/seccomp-extra/memwrexe
new file mode 100755
index 000000000..82ea7631f
--- /dev/null
+++ b/test/seccomp-extra/memwrexe
diff --git a/test/seccomp-extra/memwrexe.c b/test/seccomp-extra/memwrexe.c
new file mode 100644
index 000000000..548320df9
--- /dev/null
+++ b/test/seccomp-extra/memwrexe.c
@@ -0,0 +1,105 @@
+// This file is part of Firejail project
+// Copyright (C) 2014-2023 Firejail Authors
+// License GPL v2
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <sys/mman.h>
+#include <sys/syscall.h>
+
+static void usage(void) {
+        printf("memwrexe options\n");
+        printf("where options is:\n");
+        printf("\tmmap - mmap test\n");
+        printf("\tmprotect - mprotect test\n");
+        printf("\tmemfd_create - memfd_create test\n");
+}
+
+int main(int argc, char **argv) {
+        if (argc != 2) {
+                fprintf(stderr, "TESTING ERROR: memwrexe insufficient params\n");
+                usage();
+                return 1;
+        }
+
+        if (strcmp(argv[1], "mmap") == 0) {
+                // open some file
+                int fd = open("memwrexe.c", O_RDONLY);
+                if (fd == -1) {
+                        fprintf(stderr, "TESTING ERROR: file not found, cannot run mmap test\n");
+                        return 1;
+                }
+
+                int size = lseek(fd, 0, SEEK_END);
+                if (size == -1) {
+                        fprintf(stderr, "TESTING ERROR: file not found, cannot run mmap test\n");
+                        return 1;
+                }
+
+                void *p = mmap (0, size, PROT_WRITE|PROT_READ|PROT_EXEC, MAP_SHARED, fd, 0);
+                if (p == MAP_FAILED) {
+                        printf("mmap failed\n");
+                        return 0;
+                }
+
+                printf("mmap successful\n");
+
+                // wait for expect to timeout
+                sleep(100);
+
+                return 0;
+        }
+
+        else if (strcmp(argv[1], "mprotect") == 0) {
+                // open some file
+                int fd = open("memwrexe.c", O_RDWR);
+                if (fd == -1) {
+                        fprintf(stderr, "TESTING ERROR: file not found, cannot run mmap test\n");
+                        return 1;
+                }
+
+                int size = lseek(fd, 0, SEEK_END);
+                if (size == -1) {
+                        fprintf(stderr, "TESTING ERROR: file not found, cannot run mmap test\n");
+                        return 1;
+                }
+
+                void *p = mmap (0, size, PROT_READ, MAP_SHARED, fd, 0);
+                if (p == MAP_FAILED) {
+                        fprintf(stderr, "TESTING ERROR: cannot map file for mprotect test\n");
+                        return 1;
+                }
+
+                int rv = mprotect(p, size, PROT_READ|PROT_WRITE|PROT_EXEC);
+                if (rv) {
+                        printf("mprotect failed\n");
+                        return 1;
+                }
+
+                printf("mprotect successful\n");
+
+                // wait for expect to timeout
+                sleep(100);
+
+                return 0;
+        }
+
+        else if (strcmp(argv[1], "memfd_create") == 0) {
+                int fd = syscall(SYS_memfd_create, "memfd_create", 0);
+                if (fd == -1) {
+                        printf("memfd_create failed\n");
+                        return 1;
+                }
+                printf("memfd_create successful\n");
+
+                // wait for expect to timeout
+                sleep(100);
+
+                return 0;
+        }
+}
diff --git a/test/seccomp-extra/mrwx.exp b/test/seccomp-extra/mrwx.exp
new file mode 100755
index 000000000..403bc852f
--- /dev/null
+++ b/test/seccomp-extra/mrwx.exp
@@ -0,0 +1,37 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2023 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+
+
+# memory-deny-write-execute
+send --  "firejail --debug --memory-deny-write-execute pwd\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "Installing /run/firejail/mnt/seccomp/seccomp.mdwx seccomp filter"
+}
+after 500
+
+send --  "firejail --debug --profile=mrwx.profile pwd\r"
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "Installing /run/firejail/mnt/seccomp/seccomp.mdwx seccomp filter"
+}
+after 500
+
+
+after 500
+puts "all done\n"
diff --git a/test/seccomp-extra/mrwx.profile b/test/seccomp-extra/mrwx.profile
new file mode 100644
index 000000000..46d6cedee
--- /dev/null
+++ b/test/seccomp-extra/mrwx.profile
@@ -0,0 +1 @@
+memory-deny-write-execute
diff --git a/test/seccomp-extra/mrwx2.exp b/test/seccomp-extra/mrwx2.exp
new file mode 100755
index 000000000..4703a4014
--- /dev/null
+++ b/test/seccomp-extra/mrwx2.exp
@@ -0,0 +1,46 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2023 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send --  "firejail --memory-deny-write-execute ./memwrexe mmap\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "mmap successful" {puts "TESTING ERROR 2\n";exit}
+        "Parent is shutting down"
+}
+after 500
+
+send --  "firejail --memory-deny-write-execute ./memwrexe mprotect\r"
+expect {
+        timeout {puts "TESTING ERROR 10\n";exit}
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+expect {
+        timeout {puts "TESTING ERROR 11\n";exit}
+        "mprotect successful" {puts "TESTING ERROR 12\n";exit}
+        "Parent is shutting down"
+}
+after 500
+
+send --  "firejail --memory-deny-write-execute ./memwrexe memfd_create\r"
+expect {
+        timeout {puts "TESTING ERROR 20\n";exit}
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+expect {
+        timeout {puts "TESTING ERROR 21\n";exit}
+        "memfd_create successful" {puts "TESTING ERROR 22\n";exit}
+        "Parent is shutting down"
+}
+
+after 500
+puts "\nall done\n"
diff --git a/test/seccomp-extra/noroot.exp b/test/seccomp-extra/noroot.exp
new file mode 100755
index 000000000..eeb82833e
--- /dev/null
+++ b/test/seccomp-extra/noroot.exp
@@ -0,0 +1,136 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2023 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail --name=test --noroot --noprofile\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+sleep 1
+
+# check seccomp disabled and all caps enabled
+send -- "cat /proc/self/status\r"
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "CapBnd:"
+}
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "ffffffff"
+}
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "Seccomp:"
+}
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "0"
+}
+expect {
+        timeout {puts "TESTING ERROR 6\n";exit}
+        "Cpus_allowed:"
+}
+puts "\n"
+
+send -- "whoami\r"
+expect {
+        timeout {puts "TESTING ERROR 7\n";exit}
+        $env(USER)
+}
+send -- "sudo -s\r"
+expect {
+        timeout {puts "TESTING ERROR 8\n";exit}
+        "effective uid is not 0, is sudo installed setuid root?" { puts "OK\n";}
+        "sudo must be owned by uid 0 and have the setuid bit set" { puts "OK\n";}
+}
+
+send -- "sudo su -\r"
+expect {
+        timeout {puts "TESTING ERROR 9\n";exit}
+        "effective uid is not 0" {puts "OK\n"}
+        "sudo must be owned by uid 0 and have the setuid bit set" { puts "OK\n";}
+}
+
+send -- "sudo ls\r"
+expect {
+        timeout {puts "TESTING ERROR 10\n";exit}
+        "effective uid is not 0" {puts "OK\n"}
+        "sudo must be owned by uid 0 and have the setuid bit set" { puts "OK\n";}
+}
+
+send -- "cat /proc/self/uid_map | wc -l\r"
+expect {
+        timeout {puts "TESTING ERROR 11\n";exit}
+        "1"
+}
+send -- "cat /proc/self/gid_map | wc -l\r"
+expect {
+        timeout {puts "TESTING ERROR 12\n";exit}
+        "9"
+}
+
+
+
+spawn $env(SHELL)
+send -- "firejail --debug --join=test\r"
+expect {
+        timeout {puts "TESTING ERROR 13\n";exit}
+        "Joining user namespace"
+}
+expect {
+        timeout {puts "TESTING ERROR 14\n";exit}
+        "Child process initialized"
+}
+sleep 1
+
+send -- "sudo -s\r"
+expect {
+        timeout {puts "TESTING ERROR 15\n";exit}
+        "effective uid is not 0, is sudo installed setuid root?" { puts "OK\n";}
+        "sudo must be owned by uid 0 and have the setuid bit set" { puts "OK\n";}
+        "Permission denied" { puts "OK\n";}
+}
+send -- "cat /proc/self/uid_map | wc -l\r"
+expect {
+        timeout {puts "TESTING ERROR 16\n";exit}
+        "1"
+}
+send -- "cat /proc/self/gid_map | wc -l\r"
+expect {
+        timeout {puts "TESTING ERROR 17\n";exit}
+        "9"
+}
+
+# check seccomp disabled and all caps enabled
+send -- "cat /proc/self/status\r"
+expect {
+        timeout {puts "TESTING ERROR 18\n";exit}
+        "CapBnd:"
+}
+expect {
+        timeout {puts "TESTING ERROR 19\n";exit}
+        "ffffffff"
+}
+expect {
+        timeout {puts "TESTING ERROR 20\n";exit}
+        "Seccomp:"
+}
+expect {
+        timeout {puts "TESTING ERROR 21\n";exit}
+        "0"
+}
+expect {
+        timeout {puts "TESTING ERROR 22\n";exit}
+        "Cpus_allowed:"
+}
+puts "\n"
+
+
+after 500
+puts "\nall done\n"
diff --git a/test/seccomp-extra/protocol-print.exp b/test/seccomp-extra/protocol-print.exp
new file mode 100755
index 000000000..7e76e6ff6
--- /dev/null
+++ b/test/seccomp-extra/protocol-print.exp
@@ -0,0 +1,59 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2023 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail --name=test0\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+sleep 2
+
+
+spawn $env(SHELL)
+send -- "firejail --name=test1 --profile=protocol1.profile\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+sleep 2
+
+spawn $env(SHELL)
+send -- "firejail --name=test2 --profile=protocol2.profile\r"
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+sleep 2
+
+spawn $env(SHELL)
+send -- "firejail --protocol.print=test0\r"
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "packet" {puts "TESTING ERROR 4\n";exit}
+        "unix,inet,inet6"
+}
+after 500
+
+send -- "firejail --protocol.print=test1\r"
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "inet" {puts "TESTING ERROR 6\n";exit}
+        "unix"
+}
+after 500
+
+send -- "firejail --protocol.print=test2\r"
+expect {
+        timeout {puts "TESTING ERROR 7\n";exit}
+        "unix" {puts "TESTING ERROR 8\n";exit}
+        "inet6,packet"
+}
+after 500
+
+puts "\nall done\n"
diff --git a/test/seccomp-extra/protocol.exp b/test/seccomp-extra/protocol.exp
new file mode 100755
index 000000000..5844e1de3
--- /dev/null
+++ b/test/seccomp-extra/protocol.exp
@@ -0,0 +1,87 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2023 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail --noprofile --protocol=unix --debug pwd\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "0009: 20 00 00 00000000"
+}
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "000f: 20 00 00 00000010"
+}
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "0010: 15 00 01 00000001"
+}
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "0011: 06 00 00 7fff0000"
+}
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "0012: 06 00 00 0005005f"
+}
+
+after 500
+
+send -- "firejail --noprofile --protocol=bluetooth --debug pwd\r"
+expect {
+        timeout {puts "TESTING ERROR 11\n";exit}
+        "0009: 20 00 00 00000000"
+}
+expect {
+        timeout {puts "TESTING ERROR 12\n";exit}
+        "000f: 20 00 00 00000010"
+}
+expect {
+        timeout {puts "TESTING ERROR 13\n";exit}
+        "0010: 15 00 01 0000001f"
+}
+expect {
+        timeout {puts "TESTING ERROR 14\n";exit}
+        "0011: 06 00 00 7fff0000"
+}
+expect {
+        timeout {puts "TESTING ERROR1 5\n";exit}
+        "0012: 06 00 00 0005005f"
+}
+after 500
+
+send -- "firejail --noprofile --protocol=inet,inet6 --debug pwd\r"
+expect {
+        timeout {puts "TESTING ERROR 31\n";exit}
+        "0009: 20 00 00 00000000"
+}
+expect {
+        timeout {puts "TESTING ERROR 32\n";exit}
+        "000f: 20 00 00 00000010"
+}
+expect {
+        timeout {puts "TESTING ERROR 33\n";exit}
+        "0010: 15 00 01 00000002"
+}
+expect {
+        timeout {puts "TESTING ERROR 34\n";exit}
+        "0011: 06 00 00 7fff0000"
+}
+expect {
+        timeout {puts "TESTING ERROR1 35\n";exit}
+        "0012: 15 00 01 0000000a"
+}
+expect {
+        timeout {puts "TESTING ERROR 36\n";exit}
+        "0013: 06 00 00 7fff0000"
+}
+expect {
+        timeout {puts "TESTING ERROR 37\n";exit}
+        "0014: 06 00 00 0005005f"
+}
+after 500
+puts "\nall done\n"
diff --git a/test/seccomp-extra/protocol1.profile b/test/seccomp-extra/protocol1.profile
new file mode 100644
index 000000000..3e1ea2a29
--- /dev/null
+++ b/test/seccomp-extra/protocol1.profile
@@ -0,0 +1 @@
+protocol unix
diff --git a/test/seccomp-extra/protocol2.profile b/test/seccomp-extra/protocol2.profile
new file mode 100644
index 000000000..b7eb4ab91
--- /dev/null
+++ b/test/seccomp-extra/protocol2.profile
@@ -0,0 +1 @@
+protocol inet6,packet
diff --git a/test/seccomp-extra/seccomp-extra.sh b/test/seccomp-extra/seccomp-extra.sh
new file mode 100755
index 000000000..50852f7e0
--- /dev/null
+++ b/test/seccomp-extra/seccomp-extra.sh
@@ -0,0 +1,26 @@
+#!/bin/bash
+# This file is part of Firejail project
+# Copyright (C) 2014-2023 Firejail Authors
+# License GPL v2
+
+export MALLOC_CHECK_=3
+export MALLOC_PERTURB_=$(($RANDOM % 255 + 1))
+export LC_ALL=C
+
+echo "TESTING: protocol (test/seccomp-extras/protocol-print.exp)"
+./protocol.exp
+
+echo "TESTING: protocol.print (test/seccomp-extras/protocol-print.exp)"
+./protocol-print.exp
+
+echo "TESTING: noroot (test/seccomp-extras/noroot.exp)"
+./noroot.exp
+
+echo "TESTING: mrwx (test/seccomp-extras/mrwx.exp)"
+./mrwx.exp
+
+echo "TESTING: mrwx2 (test/seccomp-extras/mrwx.exp)"
+./mrwx2.exp
+
+echo "TESTING: block-secondary (test/seccomp-extras/block-secondary.exp)"
+./block-secondary.exp